GDPR is nearly upon us, is your website GDPR compliant?

What is GDPR?
The General Data Protection Regulation (GDPR) is the EU regulation that replaces the 1995 Data Protection Directive and changes the way personal data is captured, used and managed for everyone in the EU. The purpose of this regulation is to give everyone better control of the data that can be captured and used about them. Any person you hold information on has the right to request that you erase their data, and, subject to a limited set of exceptions (for example where you must keep a record to meet a legal obligation), you have to do so.

When does it come into effect?
25th May 2018, so not long now. There is still time to get prepared but 25th May will come around quickly.

Who will this affect?
Any business that holds, collects or uses personal data about customers or prospects for its marketing or business communications. So, if you have a website that contains a ‘contact us’ form, then it will affect you. You’ll need to review your processes and ensure you are compliant by the deadline.

What are the consequences of not being GDPR-compliant?
Well, I hope you’re sitting down. Worst case scenario, the fines for non-compliance are up to €20 million, or 4% of your worldwide annual turnover, whichever is greater. Yep, you read that right.

But the UK is leaving the EU! So I don’t really need to worry, right?
Wrong.
We’re not out of the EU yet! When the GDPR comes into effect, the UK will still remain in the union. According to the Great Repeal Bill (formally the European Union (Withdrawal) Bill), existing EU law will be carried over into UK law when we leave. The government is expected to keep GDPR in UK law, to make sure that communication and trade continue smoothly with the EU after we leave. Also, just in case you needed another reason: GDPR applies to the data of anyone in the EU, regardless of citizenship, so unless you’re planning on denying people in the EU access to your products or services, you’ll still need to follow the new rules or pay the fines.

So how do you make your website GDPR compliant?

1. Forms: Active opt-in
If you’ve got forms on your website which invite visitors to subscribe to newsletters or indicate their contact preferences, the check-boxes attached to these invitations will need to default to unticked. Under GDPR, consent has to be a clear affirmative action by the user: a pre-selected box, silence or inactivity does not count as consent (Recital 32). So if you are relying on pre-ticked boxes today, the consent you hold is not valid, and those forms definitely need to change by May.

2. Unbundled opt-in
In addition to the above, you need to clearly set out the options separately and in plain English. For example, the acceptance of your terms and conditions needs to be clearly separated from your contact permissions. It needs to be totally unambiguous what action they’re taking by selecting these options.

3. Granular opt-in
Your users need to be able to provide separate consent for different types of communication (post, email, SMS, telephone etc.) For example, they need to be able to tick email communications, but not post, if they want to.

4. Make it easy to withdraw consent
It needs to be as easy to withdraw permissions as it was to grant them.
So make sure your contact preferences page is really, really easy to find.

5. Named parties
What exactly are they agreeing to? Your web forms must clearly identify each party that will rely on the consent. It isn’t enough to refer to categories of third-party organisations (“selected partners”); each organisation has to be named, and a visitor must be able to say yes to you and no to them.

6. Privacy notice and terms and conditions
You’ll also need to update your privacy notice and terms and conditions to match GDPR. In particular, state what you intend to do with the information once you’ve received it, the purpose and lawful basis (consent, contract, legitimate interest) for each use, and how long you’ll retain it, both on your website and elsewhere. You’ll also need to communicate how and why you’re collecting data, so list any third-party software or services that process it on your behalf (form handlers, email platforms, analytics, hosting), and tell people how to exercise their rights, including withdrawing consent and asking for erasure.

7. Online payments
If you’re an e-commerce business using a payment gateway for financial transactions, you need to also be aware of your own website collecting personal data (name, address, email, order contents) before passing the details on to the payment gateway. Card details themselves should never be written to your own database at all; leave those with the gateway.
If your website is storing the personal details after the information has been passed on, then you’ll need to modify your web processes to remove them after a defined period. GDPR does not state a number of days; it says personal data must be kept no longer than is necessary for the purpose it was collected for (the storage limitation principle). So pick a period you can justify, say 60 days after the order is complete, write it into your privacy notice, and automate the deletion.

8. Third-party tracking software
Now, here’s where it gets a little tricky. A lot of businesses now use third-party marketing automation software, for example lead-tracking or call-tracking applications.
These tools usually work by setting a cookie or other identifier in the visitor’s browser and then building up a profile of that person across visits (which pages they viewed, when they came back, which phone number they were shown). Under GDPR an online identifier tied to a profile is personal data, and under the existing UK cookie rules (PECR) a non-essential tracker needs the visitor’s consent before it is set. So ask of each tool: are you tracking visitors each time they return to your website or view a specific page, have you told them, and did they agree before the tracking script fired?

9. Google Analytics
Loads of websites are configured to use Google Analytics to track user behaviour, and it is often described as anonymous. It isn’t quite: it sets a cookie containing a client identifier, receives each visitor’s IP address, and records whatever appears in page URLs. Online identifiers such as these count as personal data under GDPR (Recital 30), so it is in scope, and three things are worth doing: turn on IP anonymisation so that part of the address is discarded before storage, make sure no names, email addresses or order details leak into tracked URLs or custom dimensions, and mention Google Analytics in your privacy notice.
Google has stated its commitment to complying with applicable data protection laws, offers data processing terms that you can accept in the Analytics admin settings, and has said that keeping user information safe is one of its highest priorities.
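The following is an added example, not code from the original article or from Google: it gates the analytics tag on a stored consent choice, switches on IP anonymisation, and strips personal data from the page URL before it is reported. The option names anonymize_ip, allow_google_signals and page_location are gtag.js parameters; the consent object shape, the parameter deny-list and the measurement ID are assumptions made for the example.

```javascript
// Added example (not from the article or from Google): consent-gated
// Google Analytics configuration with personal data scrubbed from URLs.
// The consent object shape, PII_PARAMS and the measurement ID are assumed.

// Query-string names that usually carry personal data (assumed deny-list).
const PII_PARAMS = ["email", "name", "phone", "token"];
// Anything that looks like an email address is dropped whatever it is called.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Return the page URL with personal-looking query parameters and the
// fragment removed, so it is safe to send as page_location.
function scrubPageLocation(href) {
  const u = new URL(href);
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_PARAMS.includes(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.delete(key);
    }
  }
  u.hash = ""; // fragments are sometimes used to carry session tokens
  return u.toString();
}

// Build the gtag config for a visitor. `consent` is the visitor's stored
// choice, e.g. { analytics: true } (assumed shape). Without an explicit
// "yes" this returns null and the tag must not be loaded at all.
function analyticsConfig(consent, href) {
  if (!consent || consent.analytics !== true) return null;
  return {
    anonymize_ip: true,            // truncate the IP before Google stores it
    allow_google_signals: false,   // no cross-device / advertising features
    page_location: scrubPageLocation(href),
  };
}

// Browser-side entry point. Loads gtag.js only when analyticsConfig allows
// it; returns false (and does nothing) when there is no consent or no DOM.
function loadAnalytics(measurementId, consent) {
  if (typeof document === "undefined") return false;
  const cfg = analyticsConfig(consent, document.location.href);
  if (!cfg) return false;
  const script = document.createElement("script");
  script.async = true;
  script.src = "https://www.googletagmanager.com/gtag/js?id=" +
    encodeURIComponent(measurementId);
  document.head.appendChild(script);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", measurementId, cfg);
  return true;
}

// Example call with a placeholder property ID (hypothetical value):
// loadAnalytics("UA-00000000-1", readStoredConsent());
```

Call loadAnalytics from the page instead of pasting the standard tag snippet directly, and re-run it when the visitor changes their preferences; the scrubbing is there because thank-you and search pages frequently put an email address straight into the URL, which would otherwise be stored in Google's reports.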

10. Check your existing data
You’ll also need to check the data you have stored in various places around your business. Make sure you have a good understanding and documented record of the data you hold. Who has agreed to you storing their info? How have they consented? And when did they consent? All the answers to these questions need to be readily available. Essentially, unless you need to keep certain data, it could be a liability for your business and should probably be deleted.
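Points 1 to 5, 7 and 10 above describe one record-keeping process, so here is one added example covering all of them. It is not code from the original article; the party names, field names, sample data and the 60-day retention figure are constructed for illustration. It records consent per named party and per channel only where a box was actually ticked, keeps the terms-and-conditions acceptance separate, makes withdrawal a single call, answers "who consented, how and when", and strips personal details from orders past the retention period.

```javascript
// Added example (not from the article): a minimal consent ledger.
// Party names, field names, sample data and retention period are assumed.

const CHANNELS = ["email", "post", "sms", "telephone"];

// Point 5: every party that will rely on the consent is named on the form.
const NAMED_PARTIES = {
  "acme": "Acme Widgets Ltd (our newsletter)",
  "partner-b": "Bloggs Insurance Ltd (partner offers)",
};

// Points 1-3: build consent records from a submitted form body such as
// { terms_accepted: "on", consent_acme_email: "on" }. Only a box the
// visitor actually ticked yields a record; a missing field means "no",
// never a default "yes". Accepting the terms is a separate field and
// grants no marketing consent at all (unbundled opt-in).
function recordConsent(subjectId, fields, noticeVersion, now = new Date()) {
  const records = [];
  for (const party of Object.keys(NAMED_PARTIES)) {
    for (const channel of CHANNELS) {
      if (fields[`consent_${party}_${channel}`] === "on") {
        records.push({
          subjectId, party, channel,
          granted: true,
          via: "web-form",        // how they consented
          noticeVersion,          // which privacy notice they were shown
          at: now.toISOString(),  // when
        });
      }
    }
  }
  return records;
}

// Point 4: withdrawing is one call, the same shape as granting.
function withdrawConsent(ledger, subjectId, party, channel, now = new Date()) {
  ledger.push({
    subjectId, party, channel,
    granted: false,
    via: "preferences-page",
    noticeVersion: null,
    at: now.toISOString(),
  });
}

// Point 10: "who has agreed to what, and is it still valid" is the latest
// record per party and channel; anything never recorded is false.
function currentConsent(ledger, subjectId) {
  const state = {};
  for (const party of Object.keys(NAMED_PARTIES)) {
    state[party] = Object.fromEntries(CHANNELS.map((c) => [c, false]));
  }
  ledger
    .filter((r) => r.subjectId === subjectId)
    .sort((a, b) => (a.at < b.at ? -1 : a.at > b.at ? 1 : 0))
    .forEach((r) => {
      if (state[r.party] && r.channel in state[r.party]) {
        state[r.party][r.channel] = r.granted;
      }
    });
  return state;
}

// Point 7: strip personal details from orders older than the retention
// period your privacy notice states (60 days here is an assumed figure),
// keeping only non-personal bookkeeping fields.
function purgeExpired(orders, now, retentionDays = 60) {
  const cutoff = now.getTime() - retentionDays * 24 * 60 * 60 * 1000;
  return orders.map((o) =>
    new Date(o.placedAt).getTime() < cutoff
      ? { orderId: o.orderId, placedAt: o.placedAt, total: o.total }
      : o
  );
}
```

Store the ledger entries as they are produced and never overwrite them: the grant and the later withdrawal are both evidence you may need to show a regulator, and currentConsent derives the present state from them rather than from a mutable flag.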

11. Finally, is your site and CMS secure?
Websites that use HTTPS send data over an encrypted connection, so you need a TLS certificate (still commonly called an SSL certificate) and should redirect all plain HTTP traffic to HTTPS. That only protects data in transit, though. Ask your CMS or hosting provider how form submissions and contact data are stored, whether the database and its backups are encrypted at rest, and who can access them, and keep the CMS, its plugins and the server patched: an unencrypted database behind an unpatched CMS is a common way for a contact list to end up in a breach.

So there you have it!

Some useful tips on how to start getting ready for GDPR with regards to your digital marketing. But it’s not just your website that will be affected; it will of course change the way you run your entire business so make sure you’re researching the subject as much as you can!

Got a question? Feel free to call us on 01752 296 666 or contact us and we will be able to help you with anything Website-GDPR related.